The best part of Black Ice is its easy-to-read interface to see what's
hitting the server. I will continue to use it just for that purpose,
with an ACL in the router ahead of the server to do the heavy lifting of
access control. It is an effective blocker for UDP port probes, when
used in conjunction with an ACL which blocks the TCP and IP port probes,
so an outsider cannot execute anything. On the other side, I would
never use a software application on the server as the primary
defense...been there, done that years ago when the Witty.A virus struck.
 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 12:21 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Blackice Server EndOfLife - need
replacement


I'm sure that there are many opinions around here, but I don't think
that servers should be the place where you enforce security with a
software firewall. Although you might like some of what it tells you, I
would think that a firewall and AV software would do the trick perfectly
fine. Of course you can tune your firewall to your heart's content, and
do things like limit outgoing ports, run IDS, etc. If you have enough
servers, you might also want to set up off-site vulnerability scanning
on a scheduled basis. If you are worried about inside your network you
should set up VLANs.

As we saw a couple of years ago with Blackice, and then again last year
with Symantec Corporate, software that intercepts packets from the
network is itself vulnerable to exploitation, and this is a good
reason to use a hardware firewall as at least a first level of defense,
and only allow in what is necessary.

Matt



Howard Smith (N.O.R.A.D.) wrote:

To replace Blackice functions as to load on a server and monitor and
block what applications send out on individual ports. I have an offending
app or task that is trying to send out on random ports; I am trying to find
it and block it.



 

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168
www.norad.com
www.securetrek.com
www.siteshuttle.com
www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144

 




 

 



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Blackice Server Settings



In relation to spam or in relation to security?

My answers would be Alligate (on a separate server) and a firewall,
respectively.

Matt







Howard Smith (N.O.R.A.D.) wrote:

ISS no longer supports Blackice and it is no longer in production. What
are users replacing it with?

Howard Smith

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: [email protected]
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings



I've gotten some requests to post the information on how to use Blackice
Server to block email harvesting attacks. So here it is!





Before you install Blackice Server you must turn Data Execution Prevention
OFF on your server. Blackice and DEP will not coexist. On your server
right click on "MY COMPUTER" then go to properties and then go to
advanced.

Under performance, select the SETTINGS button and then click on the Data
Execution Prevention tab. If DEP is listed as enabled for anything, remove
it for the listed services.



Next, you can install Blackice.



When you install Blackice server you should install it with the trusting
mode enabled to allow all inbound traffic. I believe it asks you what you
want when you install Blackice. I don't recall for sure if it does or not
because it has been several years since I installed it. If it doesn't ask
you the protection level that you want, after you install Blackice you can
go into the GUI and go to the firewall tab and under protection level you
can select "trusting: allow all inbound traffic".

Blackice should run without causing you any trouble so you should have time
to complete the other configuration items. The whole install and
configuration only took me about 15 minutes. I installed it on a dedicated
email server. I don't have any experience with Blackice on a server running
other stuff besides email and webmail.



Also, you can always stop the Blackice service if you hit a problem.
Blackice does its thing by watching traffic across the network card. If you
stop Blackice then it's effectively as if Blackice isn't installed on the
server. When the service is stopped Blackice is gone and all is back as it
was before.



Attached is the issuelist.csv file which comes with Blackice server.
Blackice uses this file as a database of different types of attacks. Line
227 had to be modified to indicate an action of IP|RST. The IP|RST tells
Blackice to block the IP of the attacker as the action to take. Ignore the
comments to the far right of line 227. The comments say to block the
attacker if they attempt to send email to 10 non-existent email addresses
within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All
you need to change in this file is to add IP|RST to line 227. The attached
file already has the change. It is from the most current version of
Blackice so if you just bought Blackice you can move the attached file into
the Blackice directory and you're good to go.



Next, in the Blackice GUI you'll want to go to the firewall tab and put a
checkmark in front of "Enable Auto Blocking". The GUI updates the
firewall.ini file to tell Blackice that auto-blocking is enabled. The line
in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui



Next, go to the blackice.ini file and manually edit it to add the following
4 lines:

smtp.error.count=6
smtp.error.interval=30
pam.smtp.error.count=6
pam.error.interval=30





The above settings in blackice.ini tell Blackice that if it detects an
attempt to send to 6 non-existent email addresses within 30 seconds then it
should activate the Email_Error action in line 227 of issuelist.csv. We set
the action to be IP|RST (in issuelist.csv) which specifies that the IP
should be blocked. So if the QTY/Timeframe is met, the IP is blocked. The
block of the IP will automatically go away after a specified time. This is
good because an IP is never permanently blocked forever.



I believe the IP is removed from the blocklist after 24 hours. I have to
find where you specify the length of time that the IP should remain blocked.
I'll post that when I find it.



Also, on those 4 config lines above you can obviously choose how aggressive
you want to be at blocking email harvesting by setting a different
error.count and error.interval. I figured 6 attempts at bad addresses in 30
seconds was most certainly someone trying to guess email addresses on our
servers.





Another thing that you will want to do is go into the Blackice GUI and go to
the intrusion detection tab. Here you will want to add your internal and
external IP addresses as ranges of IP addresses that you want to trust.




If Blackice ever blocks an IP that shouldn't be blocked (say some customer
who isn't well-behaved but who is still a customer), through the GUI you can
right click on your customer's info in the EVENTS tab and then select the
option to trust and accept them. This will prevent them from ever being
automatically blocked by Blackice.



I know the above is a bit to digest but don't let it scare you. Blackice
is a simple install and you can literally have it installed and running and
blocking email harvesting in about 15 minutes.



Some other advantages are that Blackice has a directory where it places a
text file with the IP of the attacker as part of the filename. Over time,
you will see patterns of IPs by just looking at the filenames. If there is
a range of IPs that seem to be attacking your servers you can then go block
them at your firewall. Blackice will also show you in its online GUI all of
the attackers and errors they generated. If I see that someone has port
scanned us a couple hundred times I may go block them at the firewall to
stop them from profiling our servers. If you look at the issuelist.csv, you
can see that you can also use Blackice to handle a vast number of other
types of attacks. I only use it for the email address harvesting, but it
could be used to do a whole lot more.



At $300 it's a cheap solution. I very seldom ever look at Blackice. It
just does its thing and I forget it's even there most of the time!



I wrote most of this from memory and I don't believe I missed anything. If
you're going to install Blackice, feel free to email me and tell me the time
and date you plan to install it. I'll email you my phone number and if you
should hit a problem you can give me a call and I'll walk you through it.



Good luck.



Dave









---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
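The auto-block logic Dave describes above (count failed RCPT attempts per source address, block the source when 6 of them fall within 30 seconds, let the block expire on its own, never block a trusted address) in working form. This is an added example, not code from the original post and not Blackice's own code: the SMTP log line format is constructed for the example, the 24-hour block lifetime is taken from Dave's recollection and treated as an assumed parameter, and the trusted-address set stands in for the GUI's "trust and accept" list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the blackice.ini lines in the post: 6 bad recipients in 30 s.
# The 24 h block lifetime is the post's recollection, treated as an assumed parameter.
ERROR_COUNT = 6
ERROR_INTERVAL = 30
BLOCK_SECONDS = 24 * 3600

# Constructed log format for this example (not Blackice's or Declude's):
#   "<YYYY-MM-DD> <HH:MM:SS> <client-ip> RCPT TO:<address> <reply-code> <text>"
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) RCPT TO:<[^>]*> (?P<code>\d{3})")

# Constructed sample traffic: 203.0.113.9 probes five addresses, pauses, then probes
# fast; 198.51.100.7 is a legitimate sender with one typo; 192.0.2.5 is trusted.
SAMPLE_LOG = """\
2006-09-27 17:00:00 198.51.100.7 RCPT TO:<sales@example.com> 250 2.1.5 OK
2006-09-27 17:00:02 203.0.113.9 RCPT TO:<aaron@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:03 203.0.113.9 RCPT TO:<abby@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:04 203.0.113.9 RCPT TO:<adam@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:05 203.0.113.9 RCPT TO:<alan@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:06 203.0.113.9 RCPT TO:<alex@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:20 198.51.100.7 RCPT TO:<bob@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:41 203.0.113.9 RCPT TO:<amy@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:42 203.0.113.9 RCPT TO:<andy@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:43 203.0.113.9 RCPT TO:<anna@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:44 203.0.113.9 RCPT TO:<anne@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:45 203.0.113.9 RCPT TO:<april@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:46 203.0.113.9 RCPT TO:<art@example.com> 550 5.1.1 User unknown
2006-09-27 17:00:50 203.0.113.9 RCPT TO:<ava@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:00 192.0.2.5 RCPT TO:<t1@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:01 192.0.2.5 RCPT TO:<t2@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:02 192.0.2.5 RCPT TO:<t3@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:03 192.0.2.5 RCPT TO:<t4@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:04 192.0.2.5 RCPT TO:<t5@example.com> 550 5.1.1 User unknown
2006-09-27 17:01:05 192.0.2.5 RCPT TO:<t6@example.com> 550 5.1.1 User unknown
"""


class HarvestBlocker:
    """Per-source sliding window of 5xx recipient errors with expiring blocks."""

    def __init__(self, error_count=ERROR_COUNT, error_interval=ERROR_INTERVAL,
                 block_seconds=BLOCK_SECONDS, trusted=()):
        self.error_count = error_count
        self.window = timedelta(seconds=error_interval)
        self.block_ttl = timedelta(seconds=block_seconds)
        self.trusted = set(trusted)        # the GUI's "trust and accept" list
        self.errors = defaultdict(deque)   # ip -> timestamps of recent 5xx RCPT replies
        self.blocked = {}                  # ip -> block expiry

    def is_blocked(self, ip, now):
        """True while ip's block is live; an expired block is dropped on the way."""
        expiry = self.blocked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[ip]           # the block "automatically goes away"
            return False
        return True

    def observe(self, ip, now, code):
        """Record one RCPT result; returns True when this event starts a new block."""
        if ip in self.trusted or self.is_blocked(ip, now) or not code.startswith("5"):
            return False
        q = self.errors[ip]
        q.append(now)
        while now - q[0] > self.window:    # forget errors older than the interval
            q.popleft()
        if len(q) < self.error_count:
            return False
        self.blocked[ip] = now + self.block_ttl   # the IP|RST action
        q.clear()
        return True

    def process_log(self, text):
        """Replay log lines in order; returns [(ip, datetime)] for each new block."""
        events = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            now = datetime.fromisoformat(f"{m['date']} {m['time']}")
            if self.observe(m["ip"], now, m["code"]):
                events.append((m["ip"], now))
        return events


def run_demo():
    """Replay SAMPLE_LOG and report the decisions (also used by the self-check)."""
    blocker = HarvestBlocker(trusted={"192.0.2.5"})
    events = [(ip, ts.isoformat(sep=" ")) for ip, ts in blocker.process_log(SAMPLE_LOG)]
    later = datetime(2006, 9, 27, 18, 0, 0)
    return {
        "events": events,
        "blocked_an_hour_later": blocker.is_blocked("203.0.113.9", later),
        "blocked_after_ttl": blocker.is_blocked("203.0.113.9", later + timedelta(days=1)),
        "typo_sender_blocked": blocker.is_blocked("198.51.100.7", later),
        "trusted_blocked": blocker.is_blocked("192.0.2.5", later),
    }
```

In the sample replay, 203.0.113.9's first five errors never trigger a block because the sixth arrives 39 seconds after the first, outside the 30-second window; only the fast burst that follows trips the IP|RST action, at 17:00:46, and the error at 17:00:50 is absorbed by the existing block rather than starting a second one. The window comparison is strict, so an error exactly 30 seconds old still counts. Blackice gets its error events from the packets it sees on the NIC rather than from a log, but the counting and expiry semantics are the ones the post configures.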








